Protected B 


Incident Post Mortem: 2 RO Credential Phish 


Issue Summary 




* 

An RO's credentials (network login name and password) were phished (stolen on the internet). 

Timeline 




• 

Issue reported and dealt with on August 13, 2015 



• 

16 (2) (c) 



Root Cause 




• 

• 

16(2) (c) 


Reso 

ution and recovery 




• 

The user's password was reset immediately and investigation started. No evidence that a 

breach has occurred was found. 

Corrective and Preventative Measures 



* 

Increase awareness anc 

16(2) (c),21 (1) (a) 


• 

Continue the phishing campaign 
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Protected B 


Incident Post Mortem: 4 RO Phish #2 


Issue Summary 


The ROTC were notified by the AC in ED 48015 that they had fallen victim to a phishing attack. 

The VM was immediately shut down and it was determined that suspicious activitie s had _ 

occurred. The VM was purged, all system were scanned! with our security software, 


16 (2){c) 


16 (2)(c> 


and we re-installed the Guest image from the nightly back-up with the assistance 


from our colleagues in ITA5. 


Timeline 

* Issue reported August 17, 2015 


Root Cause 
16(2,(c, 


Resolution and recovery 

* Investigation found that the AC had brought their home laptop, plugged it into the ROTC 
network, then opened their personal webmail, then clicked on a phishing site. With the 
machine being wiped clean it was difficult to perform more analysis of what happened, but on 
the network we are all clear. 


Corrective and Preventative Measures 


Increase awareness anc 


16 (2) (c).21 (1) (a) 
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Incident Post Mortem: 5 Suspicious Employee 


Issue Summary 

* An employee who had been dismissed had been acting "suspicious" by insisting on taking his all- 
in-one computer with him when he was moved from cubicle to cubicle. After he was dismissed 
it was decided to investigate. 

Timeline 

• August 18, 2015 issue was reported to JTSec team 


Root Cause 

16(2) (c) 

* ■ 


Resolution and recovery 

* First findings found a VM had been installed, and several pieces of software and media were 
downloaded (many illegally) and most likely installed on this VM. No media downloads seemed 
to indicate they were illegal other than copyright infringement. Unable to get into VM without 
more work. It was decided to end the investigation at that point. 


Corrective and Preventative Measures 


Increase awareness anc 


16(2) (c),21 (1) (a) 
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Incident Post Mortem: 6 DropBox issue 


Issue Summary 


On August 17th 2015, EC system 16 (2) (c),19 (1) 


transferred 


16 (2) (c) 


of 


information to Dropbox between 2:08:51 PM and 2:18:55 PM. The user was contacted and 
confirmed that it was EC data. The user was contacted and asked to delete the information and 
discontinue use of Dropbox. 


Timeline 

16 (2Met 

• Issue detected by on August 18, 2015 


* 



Root Cause 

• 

16 (2) (c) 

Resolution and recovery 

* 

16 (2) (c) 


Corrective and Preventative Measures 

* Awareness and 


16 (2) (c) f 21 (1) (a) 


16(2) (c) 
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Incident Post Mortem: 10 SQL Injection at Bell 


Issue Summary 

* Someone posted on Reddit that they successfully performed SQL Injection on an EC production 
application; which was then tweeted on twitter. They claimed they had reported it to EC 
(meaning Bell} and that someone had fixed it. Contract App 

Timeline 

* Issue reported September 9, 2015. 

Root Cause 

16 (2 ,(0 


Resolution and recovery 

* Investigation found that the SQL injection did happen; although the information gained was not 
sensitive. The vulnerab le application has been removed and the remaining similar application 

has had a patch applied J 

16 (2) (c) 

Corrective and Preventative Measures 
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Incident Post Mortem: 13 LiveRaiLcom 


Issue Summary 


alerted the ITSec team that senior individuals in our organization were uploading large 
of data to an external site without their knowledge. Some of the data was encrypted, 
and it had gone on at least 7 days and over 600 employees were affected by this situation. 


16 (2)(c) 

amounts 


Timeline 

• Issue was picked up by 


16 {2} (c) 


on September 11, 2015. 


Root Cause 


Click-fraud/aggressive online advertising. 


Resolution and recovery 

* This issue was escalated almost immediately to GC GIRT, who responded by sending someone to 


collect and analyze data 
analysis from GC CIRT 


16(2) (c) 


16 
1211c 


After much 


and the EC ITSec team it was determined that this was not malware, 


it was just click fraud (a website creating fake traffic, for profit, at the expense of our 
bandwidth). During the investigation internet access was shut down to the 10th floor to protect 
the register and the URL in question was blocked, as well as facebook. 


Corrective and Preventative Measures 

• LiveRaiLcom and all other similar style websites are now blocked 

• Department-wide ad blocking is being rolled out, via an intake. 
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Incident Post Mortem: 16 LogMeln 


Issue Summary 

* Several machines have visited and used logmeinxom and other types of services that allow 
users to control their machine from home, passing through this external website. This does not 
follow our Acceptable Use Policy and also presents a possible security risk. 


Timeline 




16 (2) (c) 


picked up the activity on September 29, 2015 


Root Cause 

16 (2) (c) 


Resolution and recovery 


• LogMeln.com and some other sites similar to it were blocked. 


Corrective and Preventative Measures 

* Increase IT security awareness , including the AUP and ITSec policies 

16Cl 21 n 21 
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Incident Post Mortem: 29 IIS Logs Oct 13, Oct 14 



Page 8 of 16 




























Protected B 


Incident Post Mortem: 32 CE15-1016-04 Special Report 
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Incident Post Mortem: 33 CE15-1019-23 ELETC Special Report 
Issue Summary 

* A java/flash malware was reported to have been downloaded on the EC network, several times, 

* 32 people verified as affected 

Timeline 

* Issue reported October 19, 2015 (polling day) 

* Investigation and notifications complete by October 20, 2015 


Root Cause 



Resolution and recovery 


* All users who were possibly affected were notified and asked to change all of their web 

passwords, work and personal. We also changed several passwords for web applications that 
we felt might have been affected, and blocked all sites listed in the report. 

Corrective and Preventative Measures 

. 116(2) (c).21 (1) (a) 
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Incident Post Mortem: 34 Malware detected pop up can't close ID: 525633 


Issue Summary 

* AC Clicked on malicious link accidentally, was infected with Malware, 


Timeline 


• 

Monday October 19, 2015, incident reported, investigated and actioned 


Root Cause 


• 

16 (2) (c) 


Resolution and recovery 


• 

Machine quarantined, and wiped. Network and business server not affected. 


Corrective and Preventative Measures 


• 

• 

16 (2) (c),21 (1) (a) 
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Incident Post Mortem: 38 Virus-malware at 59037 - AAR03 HV ticket 523179 Lenovo 


Issue Summary 

* An employee from an AARO office clicked on a phishing link and their machine was believed to 

be infected with malware. 

Timeline 


• 

October 18, 2015 


Root Cause 


* 

Phishing is common. 


Resolution and recovery 


• 

The machine was removed from the network, the user's password was reset. No damage done. 

Corrective and Preventative Measures 


• 

16(2) (c),21 (1) (a) 
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Sommaire d'incidents enquetes 

Election Canada 2014 - (16 juin) 2017 


2014 (1 incident} 


Date 

Description 

Report 

Available? 

22-Dec-14 

ActivEte suspecte 

N 


2015 (21 incidents) 


Date 

Description 

Report 

Available? 

01-Jan-15 

ActivEte suspecte 

N 

13-Aug-15 

Hameqonnage 

Y (2} 

17-Aug-15 

Hameqonnage 

Y (4) 

1B-Aug-15 

Activite suspecte 

Y (5} 

18-Aug-15 

ActivEte suspecte 

Y (6} 

24-Aug-15 

Vol d'equipement 

Y (36) 

30-Aug-15 

Vol d'equipement 

Y(8) 

03-Sep-15 

Perte d'equipement 

Y(9) 

09-Sep-15 

ActivEte suspecte 

Y (10) 

10-Sep-15 

Vol d'equipement 

Y (12) 

ll-Sep-15 

ActivEte suspecte 

Y (13) 


Date 

Description 

Report 

Available? 

16-Sep-15 

Vol d'equipement 

Y (15} 

29-Sep-15 

Activite suspecte 

V (16) 

06-Oct-15 

ActivEte suspecte 

Y (20) 

13-Oct-15 

ActivEte suspecte 

Y {29} 

15-Oct-15 

ActivEte suspecte 

Y (25) 

lS-Oct-15 

Maliciel 

Y {38} 

19-Oct-15 

ActivEte suspecte 

Y (32) 

19-OcM5 

Maliciel 

Y (33) 

19-Oct-15 

Maliciel 

Y (34) 

24-Dec-15 

Activite suspecte 

Y (A) 


2016 (0 incident) 


Nul 

2017 (0 incident) 


Nul 


Document cree pour la demande d'acces a I'information A2017 00015 
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IIS servers log from the web front end servers were reviewed from December 1st to December 27 th . 
Logs were parsed via a tool with SQL keyword (e.g. SELECT, CAST, DECLARE etc...) 

Parsing results displayed SQL Code injections which had been passed from the IIS web server to the 
SQL Server. 


The results indicate that the attacker gained access through the 
24 th , 2015. 


16(2) (c) 


on Dec 


S u s p iciou$activitypriortoandindudingDec24t| 


16(2) (c),19 (1) 


active Dec 2; targeting multiple paqe^butnot 


16(2) (c),19 (1) 
16 (2) (c).19(1) 


16 (2) (c), 19(1) 


16 (2) (c) 


16 (2) (c) 


I - active Dec 13; targeting 
"activ^Dec^^^a rgeti n g 


active Dec 17 and 24; targeting 


- active Dec 22; targeting 


16 (2) (c),19(1} 


I - active Dec 24; targeting 


16 (2) (c) 


16 (2) (c) 


gained access through the 


Dec 24 th : j”” ~ 

Ujg^ndicat^jhaUhf^ttackeMoperating using at least^H 

111 11 1 | This may have been reconnaissance for a later exfiltration. Teams 

at EC J16 (2) (c) | are working to prove the time and content but suspected traffic can be seen 

from 23:32 GMT 


Dec 26 th : 

Pastebin created claiming to be a sample of compromised data. 

Dec 27 th : 

Reddit thread with link to Pastebin sample of compromised data, and a copy of the same data on Obin 

At 8:53pm CE15-1227-01 ELECTC Possible Data Disclosure message sent to mem ber of the EC IT 
Security staff 

Dec 28 th : 

At 10am EC CIO reaches out to member of the EC IT Sec team indicating that SSC is looking to discuss 
possible incident. 

SSC provides link to Pastebin. E C is able to confirm information is genuine. 

16 (2) (c) 


16 (2) (c) 


Dec 29 th : 

conference call at 1pm (followed by shortened day due to conditions) 


identified the table 



16(2) 

(c) 


were compromised, 


16(2) (c) 


to backup then remove 
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16 (2) (c) 




DAS Lead 

16(2) (c),19 (1) 

engaged to assign DAS team to review server and dbase logs. (Dec 


soc 

27 th )T 


6 (2) (c) f 19 (1) assessing a ^ c F| h IPS/NIPS logs for SQL injections, (Target Dec 26 and Dec 



Dec 30 th : 



Confirmation was also received from NHS that the SQL Servers are not accessible via internet- This 
provides further validation that the vulnerability was a SQL injection. 


Implemented the following activities to contain the threat (Mtce page posted at 6:00 pm with 
user/password and dbases disabled by 7:30 pm): 



P ost a maintenance page for the impacted appli cations. 


16 (2) (c) 


This is intended to be in place temporarily until Monday Jan 4 th when theB 

■eC teams can 


regroup to review the MOP for the pr oposed chan ges to the user account/password- 


Web Server/FW/hilP logs to be sent to ^ (2) ( c ) at EC. (target dates Dec 26/27 th ) Files were 
posted on FTP morning of Dec 31 st 


16 


Monday Jan 4 th , conference call will be scheduled betwee ^ECprimesfECtoconf^m 
names) to discuss the plan and impacts to the applications^^^B^^B^^^^^^^B 
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16 (2) (c) [confirmed that the 


p (2) (c) 

^ - 


16 {2) (c) 


Clean up process will be coordinated with MS web on Monday Jan 


16 (2)(c) 


The investigation to determine the entry point for the hacking is still under investigation , we 
are in the process of reviewing all server logs and SOC team are also doing a deep dive for 
any suspect behavior that might require a new signature. More details will be forthcoming as 
this part of the investigation continues real time. 


16 


Jan 4 th : 

Conference call at 11:00 am between 
to review the issue. Action items include: 


I 'EC team to review next steps. Phil Hopkins now engaged 


16 

( 2 ) 


expanded the IIS/Http Error log review to include (Dec 25 -Dec l $t ) Working backwards. 


-16(2) (c),19(1) 


Copy the IIS+HTTPERR logs ranging from dec 20 th until dec 2 7 th , from all the 
Web servers, on to the FTP server - 


16(2) (c),19 (1) 


16(2) (c) ( 19 (1) 


will provide additional key words t< 16 (2) 

(cM 9 ( 


16 (2) (c) 


to assist in the review. - Prime 


EC Security will provide the VA in a new format to SOC t eam. -116 (2) (c) 


MS Web will provide a complete list of all script folders - ( c ^ 


Prior to any cleanup activities, MS web will perform a complete back up of the SQL server - 


16(2) (c) 


EC will review the application code leveraging the SQL servers - 


16(2) (c) 


A copy of the backup will be zipped and sent to EC. — 116 (2) (c),19 (1) 


EC will review all data with their teams to ensure what data/apps can be deleted. That will 
also determine the apps that will remain and will be impacted by the User/Password 


change. -16 (2) (c) 


A final list of URL's that will use the User/Password (as well as a list of exactly the changes are 


required) to be provided for the implementation plan. 16 (2) (c) 


Implementation plan/dates to be determined based 
possible code change required to support hashing) 


Decision: I 


Jan 5 th : 

16 ( Iconfirmed that on Dec 24 th the investigation indicates that the attacker gained access through the 

16 (2) (c) 


• A copy of ALL dbases on the SQL server were sent to EC 

• ComplainHomn schema and Moodle Schema posted in same FTP Folder. 

• Globally -^^|to provide all details on that source IP, everywhere that it tried to access. 

• EC now in "assessment" phase of the data to better determine their exposure due to this SQL 


Injection. 

• Confirmed that all SQL dbases will remain offline and 

16 (21(c) 
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